Estonia: The cyber-defense capitol of the world

The World

This story was originally reported by PRI’s The World. For more, listen to the audio above.

The next major war may not be fought with tanks and planes, but rather over the internet. Estonian President Toomas Hendrik recently said, “Today you don’t need an Army; all you need is a keystroke.” Speaking at a conference by The Cooperative Cyber Defense Center of Excellence in Tallinn, Hendrik gave a stern warning:

There is time for governments to get their heads out of the sand. Our critical infrastructure, our electricity grids, transportation and mobile phone networks today are so enmeshed and tied to the internet that any open society is vulnerable to complete and utter failure.

Much of the world is living in a pre-September-11-style mentality concerning cyber attacks, according to James Fallows in the Atlantic. There has been no large-scale attack that has forced people to take notice of how vulnerable people are. And many companies, who are often the targets of cyber-attacks, have a vested interest in concealing their own vulnerabilities. He writes:

No bank or investment house wants to admit how close it has come to being electronically robbed. As a result, the changes in law, regulation, concept, or habit that could make online life safer don’t get discussed. Sooner or later, the cyber equivalent of 9/11 will occur — and, if the real 9/11 is a model, we will understandably, but destructively, overreact.

In fact, many of these attacks are already happening, though few have noticed. In an excellent review of the book “Cyber War” by Richard Clarke, Jack Goldsmith tells a story demonstrating how cyber-attacks can work:

For several months in late 2009, computer operators in China scoured Google Web pages and networking sites such as Facebook and LinkedIn to gather personal information on high-level Google employees working in China. They used this information to create and send a Google employee (probably a network administrator) an instant message that convincingly appeared to be written by a friend or co-worker. The message contained a link to a computer in Taiwan that the Chinese operators had taken over and loaded with a software “payload” designed to exploit a previously unknown vulnerability in Microsoft’s Internet Explorer.

When the Google employee clicked on the link, through her Explorer browser, to a fake but credible website on the Taiwan computer, the payload was secretly delivered to and installed on her computer, creating a virtual “trapdoor.” The Chinese operators marched through this trapdoor. They surreptitiously took over the Google employee’s machine. Acting from computers in China but appearing to be a trusted user inside Google’s computer network in Mountain View, California, they gained access to information about the accounts of democratic dissidents in China as well as some of Google’s crown jewels, including its intellectual property, its development plans, and its password system. The same operation that hacked into Google also infiltrated scores of other prominent American information technology and defense firms.

Estonia is a natural center for cyber-defense, in part because it has already fallen victim to large-scale cyber-attacks. The country is highly-networked — online banking and paying for parking with cell phones are the norm. In 2007, though, computers from more than 100 different countries attacked Estonia’s infrastructure, crippling the country’s web services. To date, only one person — a young student — has been tried and convicted for taking part in the attacks.

Many in the country are now trying their best to make sure an attack like that never happens again. Estonia’s Defense Minister, Jaak Aviksoo, told PRI’s The World, “In conventional military conflicts, we know more or less what the risks are and how to handle those. In cyber defense we don’t know. So it all has to be worked out in the process of fighting real threats.”

At the same time, the militaristic mindset surrounding cyber-security may be setting the world up for serious problems in the future. Security expert Bruce Schneier recently wrote for CNN:

We surely need to improve our cybersecurity. But words have meaning, and metaphors matter. There’s a power struggle going on for control of our nation’s cybersecurity strategy, and the NSA and DoD are winning. If we frame the debate in terms of war, if we accept the military’s expansive cyberspace definition of “war,” we feed our fears.

We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime.

The peace that currently reigns on the internet may not be perfect, but the freedoms enjoyed there are probably worth holding on to.

PRI’s “The World” is a one-hour, weekday radio news magazine offering a mix of news, features, interviews, and music from around the globe. “The World” is a co-production of the BBC World Service, PRI and WGBH Boston. More “The World.”

Sign up for our daily newsletter

Sign up for The Top of the World, delivered to your inbox every weekday morning.